Re: postMessage: origin serialized too early from Thomas Roessler on 2009-06-14 (public-html@w3.org from June 2009)

From: Thomas Roessler <tlr@w3.org>
Date: Sun, 14 Jun 2009 12:16:08 +0200
To: Ian Hickson <ian@hixie.ch>
Cc: public-html@w3.org
Message-Id: <83162384-C5AE-4A67-898C-E1B02FDF5C30@w3.org>

On 12 Jun 2009, at 02:20, Ian Hickson wrote:

> On Wed, 27 May 2009, Thomas Roessler wrote:
>>
>> Background:
>>  http://krijnhoetmer.nl/irc-logs/webapps/20090527
>>
>> In HTML5, section 8.2.3, point 5, mandates that the origin  
>> attribute of a
>> MessageEvent event must be set to the unicode serialization of the  
>> origin of
>> the script that invoked postMessage.  That implies that an opaque  
>> origin is
>> serialized to the string "null" here.
>>
>> As a consequence, when the event is handled, it is *not* possible  
>> to set the
>> targetOrigin parameter of a possible response message to a value  
>> that would
>> bind it to the original message's sender, if that sender has an  
>> opaque origin.
>>
>> Remedy: the origin attribute of an event of type MessageEvent ought  
>> to behave
>> like a proper origin, even if it is an opaque one; i.e., be  
>> comparable to
>> other opaque origins in the same-origin check, and serialize to  
>> "null".
>> Serialization should not occur when the attribute is constructed.
>
> This would require constructing an opaque JS object that represents an
> origin. This has never been exposed before. Do we really want to do  
> this?
> What is the use case? The only cases on the Web where this can  
> happen seem
> to be cases like data: URIs generating custom subdocuments, but that  
> seems
> like a very strange edge case. In such cases, scripts can just  
> communicate
> directly anyway.

Communicating out of (and back into) sandboxed iframes comes to mind  
as the other use case, besides the widget work.

> I think it would make more sense to wait until we have a clear need  
> to do
> this before adding this feature. We can always retrofit it by making  
> the
> objects serialise to a string.

So, what's the downside to serializing opaque origins into long random  
numbers that can in turn be compared to them?  (Or, put differently,  
what - besides CORS and the Origin proposal - is the use case for  
serializing opaque origins into "null" throughout HTML5?)

> (It would also make it impossible to generate custom events of that  
> type.)

(I don't have a particular preference between origins as opaque  
objects and opaque origins that serialize into long, random strings;  
what I do care about is the symmetry breach that occurs in postMessage.)

Received on Sunday, 14 June 2009 10:16:16 UTC